hashicorp · tomhjp · Aug 27, 2021 · Jul 23, 2021 · Jul 23, 2021 · Jul 30, 2021
diff --git a/vault/resource_consul_secret_backend.go b/vault/resource_consul_secret_backend.go
@@ -90,6 +90,13 @@ func consulSecretBackendResource() *schema.Resource {
 				Description: "Client key used for Consul's TLS communication, must be x509 PEM encoded and if this is set you need to also set client_cert.",
 				Sensitive:   true,
 			},
+			"local": {
+				Type:        schema.TypeBool,
+				ForceNew:    true,
+				Optional:    true,
+				Default:     false,
+				Description: "Specifies if the secret backend is local only",
+			},
 		},
 	}
 }
@@ -104,12 +111,14 @@ func consulSecretBackendCreate(d *schema.ResourceData, meta interface{}) error {
 	ca_cert := d.Get("ca_cert").(string)
 	client_cert := d.Get("client_cert").(string)
 	client_key := d.Get("client_key").(string)
+	local := d.Get("local").(bool)
 
 	configPath := consulSecretBackendConfigPath(path)
 
 	info := &api.MountInput{
 		Type:        "consul",
 		Description: d.Get("description").(string),
+		Local:       local,
 		Config: api.MountConfigInput{
 			DefaultLeaseTTL: fmt.Sprintf("%ds", d.Get("default_lease_ttl_seconds")),
 			MaxLeaseTTL:     fmt.Sprintf("%ds", d.Get("max_lease_ttl_seconds")),
@@ -182,6 +191,7 @@ func consulSecretBackendRead(d *schema.ResourceData, meta interface{}) error {
 	d.Set("description", mount.Description)
 	d.Set("default_lease_ttl_seconds", mount.Config.DefaultLeaseTTL)
 	d.Set("max_lease_ttl_seconds", mount.Config.MaxLeaseTTL)
+	d.Set("local", mount.Local)
 
 	log.Printf("[DEBUG] Reading %s from Vault", configPath)
 	secret, err := client.Logical().Read(configPath)

diff --git a/vault/resource_consul_secret_backend_test.go b/vault/resource_consul_secret_backend_test.go
@@ -29,6 +29,23 @@ func TestConsulSecretBackend(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "address", "127.0.0.1:8500"),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "token", token),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "scheme", "http"),
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "local", "false"),
+					resource.TestCheckNoResourceAttr("vault_consul_secret_backend.test", "ca_cert"),
+					resource.TestCheckNoResourceAttr("vault_consul_secret_backend.test", "client_cert"),
+					resource.TestCheckNoResourceAttr("vault_consul_secret_backend.test", "client_key"),
+				),
+			},
+			{
+				Config: testConsulSecretBackend_initialConfigLocal(path, token),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "path", path),
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "description", "test description"),
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "default_lease_ttl_seconds", "3600"),
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "max_lease_ttl_seconds", "86400"),
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "address", "127.0.0.1:8500"),
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "token", token),
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "scheme", "http"),
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "local", "true"),
 					resource.TestCheckNoResourceAttr("vault_consul_secret_backend.test", "ca_cert"),
 					resource.TestCheckNoResourceAttr("vault_consul_secret_backend.test", "client_cert"),
 					resource.TestCheckNoResourceAttr("vault_consul_secret_backend.test", "client_key"),
@@ -44,6 +61,7 @@ func TestConsulSecretBackend(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "address", "consul.domain.tld:8501"),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "token", token),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "scheme", "https"),
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "local", "false"),
 					resource.TestCheckNoResourceAttr("vault_consul_secret_backend.test", "ca_cert"),
 					resource.TestCheckNoResourceAttr("vault_consul_secret_backend.test", "client_cert"),
 					resource.TestCheckNoResourceAttr("vault_consul_secret_backend.test", "client_key"),
@@ -59,6 +77,7 @@ func TestConsulSecretBackend(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "address", "consul.domain.tld:8501"),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "token", token),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "scheme", "https"),
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "local", "false"),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "ca_cert", "FAKE-CERT-MATERIAL"),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "client_cert", "FAKE-CLIENT-CERT-MATERIAL"),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "client_key", "FAKE-CLIENT-CERT-KEY-MATERIAL"),
@@ -74,6 +93,7 @@ func TestConsulSecretBackend(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "address", "consul.domain.tld:8501"),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "token", token),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "scheme", "https"),
+					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "local", "false"),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "ca_cert", "FAKE-CERT-MATERIAL"),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "client_cert", "UPDATED-FAKE-CLIENT-CERT-MATERIAL"),
 					resource.TestCheckResourceAttr("vault_consul_secret_backend.test", "client_key", "UPDATED-FAKE-CLIENT-CERT-KEY-MATERIAL"),
@@ -118,6 +138,19 @@ resource "vault_consul_secret_backend" "test" {
 }`, path, token)
 }
 
+func testConsulSecretBackend_initialConfigLocal(path, token string) string {
+	return fmt.Sprintf(`
+resource "vault_consul_secret_backend" "test" {
+  path = "%s"
+  description = "test description"
+  default_lease_ttl_seconds = 3600
+  max_lease_ttl_seconds = 86400
+  address = "127.0.0.1:8500"
+  token = "%s"
+  local = true
+}`, path, token)
+}
+
 func testConsulSecretBackend_updateConfig(path, token string) string {
 	return fmt.Sprintf(`
 resource "vault_consul_secret_backend" "test" {

diff --git a/vault/resource_jwt_auth_backend.go b/vault/resource_jwt_auth_backend.go
@@ -122,6 +122,13 @@ func jwtAuthBackendResource() *schema.Resource {
 				Computed:    true,
 				Description: "The accessor of the JWT auth backend",
 			},
+			"local": {
+				Type:        schema.TypeBool,
+				ForceNew:    true,
+				Optional:    true,
+				Default:     false,
+				Description: "Specifies if the auth method is local only",
+			},
 			"provider_config": {
 				Type:        schema.TypeSet,
 				Optional:    true,
@@ -206,12 +213,16 @@ func jwtAuthBackendWrite(d *schema.ResourceData, meta interface{}) error {
 	client := meta.(*api.Client)
 
 	authType := d.Get("type").(string)
-	desc := d.Get("description").(string)
 	path := getJwtPath(d)
+	options := &api.EnableAuthOptions{
+		Type:        authType,
+		Description: d.Get("description").(string),
+		Local:       d.Get("local").(bool),
+	}
 
 	log.Printf("[DEBUG] Writing auth %s to Vault", authType)
 
-	err := client.Sys().EnableAuth(path, authType, desc)
+	err := client.Sys().EnableAuthWithOptions(path, options)
 
 	if err != nil {
 		return fmt.Errorf("error writing to Vault: %s", err)
@@ -278,6 +289,7 @@ func jwtAuthBackendRead(d *schema.ResourceData, meta interface{}) error {
 	}
 
 	d.Set("type", backend.Type)
+	d.Set("local", backend.Local)
 
 	d.Set("accessor", backend.Accessor)
 	for _, configOption := range matchingJwtMountConfigOptions {

diff --git a/vault/resource_jwt_auth_backend_test.go b/vault/resource_jwt_auth_backend_test.go
@@ -28,6 +28,19 @@ func TestAccJWTAuthBackend(t *testing.T) {
 					resource.TestCheckResourceAttrSet("vault_jwt_auth_backend.jwt", "accessor"),
 					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "bound_issuer", ""),
 					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "type", "jwt"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "local", "false"),
+				),
+			},
+			{
+				Config: testAccJWTAuthLocalBackendConfig(path),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "description", "JWT backend"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "oidc_discovery_url", "https://myco.auth0.com/"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "path", path),
+					resource.TestCheckResourceAttrSet("vault_jwt_auth_backend.jwt", "accessor"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "bound_issuer", ""),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "type", "jwt"),
+					resource.TestCheckResourceAttr("vault_jwt_auth_backend.jwt", "local", "true"),
 				),
 			},
 			{
@@ -165,6 +178,17 @@ resource "vault_jwt_auth_backend" "jwt" {
 `, path)
 }
 
+func testAccJWTAuthLocalBackendConfig(path string) string {
+	return fmt.Sprintf(`
+resource "vault_jwt_auth_backend" "jwt" {
+  description = "JWT backend"
+  oidc_discovery_url = "https://myco.auth0.com/"
+  path = "%s"
+  local = true
+}
+`, path)
+}
+
 func testAccJWTAuthBackendConfigFullOIDC(path string, oidcDiscoveryUrl string, boundIssuer string, supportedAlgs string) string {
 	return fmt.Sprintf(`
 resource "vault_jwt_auth_backend" "jwt" {

diff --git a/vault/resource_ldap_auth_backend.go b/vault/resource_ldap_auth_backend.go
@@ -118,7 +118,13 @@ func ldapAuthBackendResource() *schema.Resource {
 				return strings.Trim(v.(string), "/")
 			},
 		},
-
+		"local": {
+			Type:        schema.TypeBool,
+			ForceNew:    true,
+			Optional:    true,
+			Default:     false,
+			Description: "Specifies if the auth method is local only",
+		},
 		"accessor": {
 			Type:        schema.TypeString,
 			Computed:    true,
@@ -161,12 +167,15 @@ func ldapAuthBackendConfigPath(path string) string {
 func ldapAuthBackendWrite(d *schema.ResourceData, meta interface{}) error {
 	client := meta.(*api.Client)
 
-	authType := ldapAuthType
 	path := d.Get("path").(string)
-	desc := d.Get("description").(string)
+	options := &api.EnableAuthOptions{
+		Type:        ldapAuthType,
+		Description: d.Get("description").(string),
+		Local:       d.Get("local").(bool),
+	}
 
 	log.Printf("[DEBUG] Enabling LDAP auth backend %q", path)
-	err := client.Sys().EnableAuth(path, authType, desc)
+	err := client.Sys().EnableAuthWithOptions(path, options)
 	if err != nil {
 		return fmt.Errorf("error enabling ldap auth backend %q: %s", path, err)
 	}
@@ -291,6 +300,7 @@ func ldapAuthBackendRead(d *schema.ResourceData, meta interface{}) error {
 
 	d.Set("description", authMount.Description)
 	d.Set("accessor", authMount.Accessor)
+	d.Set("local", authMount.Local)
 
 	path = ldapAuthBackendConfigPath(path)
 

diff --git a/vault/resource_ldap_auth_backend_test.go b/vault/resource_ldap_auth_backend_test.go
@@ -22,7 +22,7 @@ func TestLDAPAuthBackend_import(t *testing.T) {
 		CheckDestroy: testLDAPAuthBackendDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testLDAPAuthBackendConfig_basic(path, "false"),
+				Config: testLDAPAuthBackendConfig_basic(path, "false", "false"),
 				Check:  testLDAPAuthBackendCheck_attrs(path),
 			},
 			{
@@ -44,15 +44,23 @@ func TestLDAPAuthBackend_basic(t *testing.T) {
 		CheckDestroy: testLDAPAuthBackendDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testLDAPAuthBackendConfig_basic(path, "true"),
+				Config: testLDAPAuthBackendConfig_basic(path, "true", "true"),
 				Check:  testLDAPAuthBackendCheck_attrs(path),
 			},
 			{
-				Config: testLDAPAuthBackendConfig_basic(path, "false"),
+				Config: testLDAPAuthBackendConfig_basic(path, "false", "true"),
 				Check:  testLDAPAuthBackendCheck_attrs(path),
 			},
 			{
-				Config: testLDAPAuthBackendConfig_basic(path, "true"),
+				Config: testLDAPAuthBackendConfig_basic(path, "true", "false"),
+				Check:  testLDAPAuthBackendCheck_attrs(path),
+			},
+			{
+				Config: testLDAPAuthBackendConfig_basic(path, "false", "false"),
+				Check:  testLDAPAuthBackendCheck_attrs(path),
+			},
+			{
+				Config: testLDAPAuthBackendConfig_basic(path, "true", "false"),
 				Check:  testLDAPAuthBackendCheck_attrs(path),
 			},
 		},
@@ -68,15 +76,23 @@ func TestLDAPAuthBackend_tls(t *testing.T) {
 		CheckDestroy: testLDAPAuthBackendDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testLDAPAuthBackendConfig_tls(path, "true"),
+				Config: testLDAPAuthBackendConfig_tls(path, "true", "true"),
+				Check:  testLDAPAuthBackendCheck_attrs(path),
+			},
+			{
+				Config: testLDAPAuthBackendConfig_tls(path, "false", "true"),
 				Check:  testLDAPAuthBackendCheck_attrs(path),
 			},
 			{
-				Config: testLDAPAuthBackendConfig_tls(path, "false"),
+				Config: testLDAPAuthBackendConfig_tls(path, "true", "false"),
 				Check:  testLDAPAuthBackendCheck_attrs(path),
 			},
 			{
-				Config: testLDAPAuthBackendConfig_tls(path, "true"),
+				Config: testLDAPAuthBackendConfig_tls(path, "false", "false"),
+				Check:  testLDAPAuthBackendCheck_attrs(path),
+			},
+			{
+				Config: testLDAPAuthBackendConfig_tls(path, "true", "false"),
 				Check:  testLDAPAuthBackendCheck_attrs(path),
 			},
 		},
@@ -137,6 +153,11 @@ func testLDAPAuthBackendCheck_attrs(path string) resource.TestCheckFunc {
 			return fmt.Errorf("accessor in state %s does not match accessor returned from vault %s", instanceState.Attributes["accessor"], authMount.Accessor)
 		}
 
+		l := instanceState.Attributes["local"] == "true"
+		if l != authMount.Local {
+			return fmt.Errorf("local bool in state for %s does not match value returned from vault: State: %t, Vault: %t", path, l, authMount.Local)
+		}
+
 		configPath := "auth/" + endpoint + "/config"
 
 		resp, err := client.Logical().Read(configPath)
@@ -243,11 +264,12 @@ func testLDAPAuthBackendCheck_attrs(path string) resource.TestCheckFunc {
 	}
 }
 
-func testLDAPAuthBackendConfig_basic(path, use_token_groups string) string {
+func testLDAPAuthBackendConfig_basic(path, use_token_groups string, local string) string {
 
 	return fmt.Sprintf(`
 resource "vault_ldap_auth_backend" "test" {
     path                   = "%s"
+    local                  = %s
     url                    = "ldaps://example.org"
     starttls               = true
     tls_min_version        = "tls11"
@@ -261,15 +283,16 @@ resource "vault_ldap_auth_backend" "test" {
 
     use_token_groups = %s
 }
-`, path, use_token_groups)
+`, path, local, use_token_groups)
 
 }
 
-func testLDAPAuthBackendConfig_tls(path, use_token_groups string) string {
+func testLDAPAuthBackendConfig_tls(path, use_token_groups string, local string) string {
 
 	return fmt.Sprintf(`
 resource "vault_ldap_auth_backend" "test" {
     path                   = "%s"
+    local                  = %s
     url                    = "ldaps://example.org"
     starttls               = true
     tls_min_version        = "tls11"
@@ -359,6 +382,6 @@ MvQzNd87hRypUZ9Hyx2C9RljNDHHjgwYwWv9JOT0xEOS4ZAaPfvTf20=
 EOT
     use_token_groups = %s
 }
-`, path, use_token_groups)
+`, path, local, use_token_groups)
 
 }
diff --git a/website/docs/r/consul_secret_backend.html.md b/website/docs/r/consul_secret_backend.html.md
@@ -58,6 +58,8 @@ on `token`. Changing the value, however, _will_ overwrite the previously stored
 * `max_lease_ttl_seconds` - (Optional) The maximum TTL that can be requested
 for credentials issued by this backend.
 
+* `local` - (Optional) Specifies if the secret backend is local only.
+
 ## Attributes Reference
 
 No additional attributes are exported by this resource.

diff --git a/website/docs/r/jwt_auth_backend.html.md b/website/docs/r/jwt_auth_backend.html.md
@@ -73,6 +73,8 @@ The following arguments are supported:
 
 * `provider_config` - (Optional) Provider specific handling configuration
 
+* `local` - (Optional) Specifies if the auth method is local only.
+
 * tune - (Optional) Extra configuration block. Structure is documented below.
 
 The `tune` block is used to tune the auth backend:

diff --git a/website/docs/r/ldap_auth_backend.html.md b/website/docs/r/ldap_auth_backend.html.md
@@ -69,6 +69,8 @@ The following arguments are supported:
 
 * `description` - (Optional) Description for the LDAP auth backend mount
 
+* `local` - (Optional) Specifies if the auth method is local only.
+
 ### Common Token Arguments
 
 These arguments are common across several Authentication Token resources since Vault 1.2.